“Let me be represented as one who trusts his senses, who thinks he knows the things he sees and feels, and entertains no doubts of their existence.” -- Bishop Berkeley

News

Loading...

Friday, March 02, 2012

Passwords

Since Brad DelLong mentioned them today, I will give you my method for generating hard-to-crack but easy-to-remember passwords.

First, pick six or so events, the dates of which you know you will never forget. To help illustrate, I will choose one myself: the execution of Charles I of England in 1649.

Now, take the first four letters of a phrase or word describing the event. We will use "Charles," giving us:

char

Now, we are going to interleave these with the date. You should generate your own method of doing this, and then use that method with all of your events. Here, we will go 2-2-2-2, like this:

ch16ar49

Now, at the same place each time you need a new password, insert a punctuation mark of your choice--here, let's say you decide to always insert a # character, in the second place, like this:

c#h16ar49

Now, pick on letter to capitalize. Again, you will capitalize the same letter each time you use an event to get a new password. So now we have:

c#h16aR49

I submit to you that that password will be pretty hard to crack, and the password strength analyzers agree. (It scores 100% here.) But once you practice this method just a little bit, the password will be easy for you to remember. You only need to recall which event from your list you used, and your rules for how to interleave the numbers and letters, where to capitalize, and where to insert a punctuation mark.

Now, you can also vary from this (now published) method in simple ways that amplify the difficulty in cracking your password, even for someone who has read this post. You could use five, or six letters from the event name, instead of four. You could peel off letters back-to-fron instead of front-to-back. You could use all caps except for one lower case. You could add the month in to get more numbers. You could use two punctuation marks. You could use the date in reverse. And so on.

Once you have done a couple of personal modifications like that, I submit that no one will be able to crack your password in any reasonable number of guesses even if they were sitting at your computer, you had written down the events, and they had the list in hand. Think of all the permutations: they have to guess which of your events you are using at present, how many letters and numbers you use from each, how you interleave them, how you mix upper and lower case, in what order you peel off letters and digits, which punctuation marks you use, and where you place them in your password. I quickly count 32 available punctuation marks on my keyboard, times 2 choices for how many to use, times 3 choices for how many letters to use, times 3 choices for how many digits to use, times 9! or 362,880 ways to interleave them (if you chose 4 and 4 and 1 punctuation mark as we did above)... well, that is already over 200 million possibilities.

But these are all simple rules. You just memorize them once, practice them half-a-dozen times, and you are good to go: you will never have to choose between using a trivial to crack password like your name or birthday and writing down your difficult password -- one of the worst security breaches of all! -- again.